Main navigation - Mobile

HHS updates OCR's data breach reporting tool

Heeding calls from health IT groups and one Texas lawmaker, HHS has restructured OCR's breach-reporting portal.

The Department of Health and Human Services has rolled out several changes to its breach-reporting portal, which lists healthcare data breaches of 500 or more patient records dating back to 2009.

The updated webpage, commonly referred to as the “wall of shame,” isolates data breaches reported within the last 24 months that are currently under investigation by the Office for Civil Rights (OCR). A separate archived tab lists “all resolved breach reports and/or reports older than 24 months.”

Previously, breach reports dating back to 2009 were listed together on a single page. It appears none of the breach reports have been removed from the site.

In an announcement describing the changes to the HIPAA breach portal, HHS said the updates include “improved navigation for both those looking for information on breaches and ease-of-use for organizations reporting incidents.”

“HHS heard from the public that we needed to focus more on the most recent breaches and clarify when entities have taken action to resolve the issues that might have led to their breaches,” HHS Secretary Tom Price, M.D., said in a release. “To that end, we have taken steps to make this website, which features only larger breaches, a more positive, relevant source of information for concerned consumers.”

Overall, modifications to the webpage are relatively minor. Last month, FierceHealthcare reported that HHS officials were considering changes to the breach portal after Rep. Michael Burgess, M.D., R-Texas, raised concerns that it was unnecessarily punitive, particularly for hospitals that are fighting off large ransomware attacks.

HHS is limited in what it can change without congressional approval, since the breach portal is mandated under the HITECH Act. After officials said HHS was considering changes to the breach portal, privacy experts said the most likely modification would be how long an entity remains on the website.

Still, Mari Savickis, vice president of federal affairs at the College of Health Information Management Executives (CHIME), called the changes to the breach portal “a step in the right direction.”

“We’re really pleased to see that they are heeding some of our calls around the issue by trying to take a more refined approach to the way information is depicted,” she said.

David Holtzman, vice president of compliance strategies with CynergisTek, who previously served for eight years as a privacy adviser at OCR, said the changes to the breach portal are an improvement over the old format. But he also pushed back against the notion that the reporting tool “victimizes the victim,” a common phrase that has been used by those who believe the “wall of shame” is overly punitive.

“It misplaces who is the victim,” Holtzman said. “The victim is not the healthcare organization, but the patient whose information was disclosed.”

“Organizations that don’t want their names peppered across this wall of shame are making the effort to encrypt [patient health information] throughout its life cycle,” he added.